
Adobe/Macromedia Flash Player Vulnerability
Computer Terrorism (UK) :: Incident Response Centre - Adobe/Macromedia Flash Player Vulnerability

Computer Terrorism (UK) :: Incident Response Centre

www.computerterrorism.com

Security Advisory: CT12-09-2006


============================================================
Adobe/Macromedia Flash Player - Remote Code Execution
============================================================

Advisory Date: 12th September 2006

Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch

CVE Reference: CVE-2006-3311



Affected Software
=================

Adobe Flash Player 8.0.24.0 and earlier versions
Adobe Flash Professional 8, Flash Basic
Adobe Flash MX 2004
Adobe Flex 1.5

Note: All OS Platforms are vulnerable


1. OVERVIEW
===========

Adobe/Macromedia Flash Player is the world's most ubiquitous browser plug-in
for Microsoft, Mozilla and Apple technologies. The plug-in claims to facilitate
high-impact web interfaces and interactive online advertising for circa 98% of
desktops globally.

Unfortunately, it transpires that Adobe Flash Player is prone to a remote
arbitrary code execution vulnerability that allows an attacker to gain
control of a target system through the simple invocation of a maliciously
constructed web page.


2. TECHNICAL NARRATIVE
======================

The vulnerability originates from Flash's failure to sufficiently handle
large dynamically generated strings at run time. As a result, it is possible
(using rudimentary ActionScript) to create a .swf movie that, when processed
by the plug-in, will overwrite system memory at an explicit location.

More specifically, the aforementioned location can (with a certain degree of
accuracy) be attacker controlled via the direct manipulation of the overall
length of the generated string.

The net result is a partially controllable condition, which opens the
door to a multitude of differing exploitation vectors, including but not
limited to heap/stack overwrites and/or third-party race conditions.


3. EXPLOITATION
===============

Computer Terrorism (UK) can confirm the undisclosed production of a reliable
multi-platform & multi-browser web-based Proof-of-Concept (PoC). Such an
exploit could be used in a web-based attack scenario, where unsuspecting
users are lured to a maliciously constructed website.

Users who have not already done so are strongly advised to upgrade to the latest
version of Flash Player or apply the appropriate fix for their particular version.
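
To find the installs that need that upgrade, the following added example (not part of the original advisory, and not Adobe or Computer Terrorism code) triages an inventory against the "8.0.24.0 and earlier" range listed under Affected Software. The three version-string shapes it accepts, the "not-listed" label and the sample hosts are assumptions made for illustration.

```python
import re

# Threshold from the advisory: "Adobe Flash Player 8.0.24.0 and earlier versions".
LAST_AFFECTED = (8, 0, 24, 0)

# Version-string shapes an inventory may contain (assumed formats):
#   "8.0.24.0"                 dotted file version
#   "WIN 8,0,24,0"             ActionScript $version style
#   "Shockwave Flash 8.0 r24"  browser plug-in description
_FOUR_PART = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")
_PLUGIN_DESC = re.compile(r"(\d+)\.(\d+)\s+r(\d+)")


def parse_flash_version(text):
    """Return the version as a 4-tuple of ints, or None if none is found."""
    m = _FOUR_PART.search(text)
    if m:
        return tuple(int(g) for g in m.groups())
    m = _PLUGIN_DESC.search(text)
    if m:
        major, minor, rev = (int(g) for g in m.groups())
        return (major, minor, rev, 0)  # build number is absent in this format
    return None


def triage(text):
    """Classify one inventory entry against the advisory's affected range."""
    version = parse_flash_version(text)
    if version is None:
        return "unknown"  # unparseable: review by hand, never assume safe
    return "affected" if version <= LAST_AFFECTED else "not-listed"


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-001": "WIN 8,0,24,0",
    "ws-002": "Shockwave Flash 7.0 r63",
    "ws-003": "9.0.16.0",
    "ws-004": "Flash (version not reported)",
}


def report(inventory):
    """Map each host to its triage result, sorted by hostname."""
    return {host: triage(ver) for host, ver in sorted(inventory.items())}


if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

"not-listed" means only that the version is above the advisory's stated range; confirm the actual fixed build for each product line against the vendor bulletin referenced in section 4.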


4. VENDOR RESPONSE
==================

The vendor security bulletin and corresponding patches are available at the
following location:

http://www.adobe.com/go/apsb06-11/


5. DISCLOSURE ANALYSIS
======================

12/05/2006  Preliminary Vendor notification.
18/05/2006  Vulnerability confirmed in pre-release Flash 9, and earlier versions
28/06/2006  Flash Player 9 released (Fixed)
31/07/2006  Public Disclosure Deferred by Vendor.
12/09/2006  Coordinated public release.

Total Time to Fix: 4 months (123 days)


6. CREDIT
=========

The vulnerability was discovered by Stuart Pearson of Computer Terrorism (UK) Ltd


========================
About Computer Terrorism
========================

Computer Terrorism (UK) Ltd is a global provider of Digital Risk Intelligence services.
Our unique approach to vulnerability risk assessment and mitigation has helped protect
some of the world's most at-risk organisations.

Headquartered in London, Computer Terrorism has representation throughout Europe &
North America and can be reached at +44 (0) 870 250 9866 or email:-

sales [at] computerterrorism.com

To learn more about our services and to register for a FREE comprehensive website
penetration test, visit: http://www.computerterrorism.com


Computer Terrorism (UK) :: Protection for a vulnerable world.
